Resubmissions
15-05-2023 19:47
230515-yhplyaff21 8Analysis
-
max time kernel
141s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
15-05-2023 19:47
Static task
static1
Behavioral task
behavioral1
Sample
NordVPNSetup.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
NordVPNSetup.exe
Resource
win10v2004-20230220-en
General
-
Target
NordVPNSetup.exe
-
Size
1.7MB
-
MD5
59cb69a08fdd9cb4b0539e3356df1d4d
-
SHA1
0c773a0a76f821780c002d527bee387b98904569
-
SHA256
bea34078c360c71fcadc1a86ebd397d081f0d589913ad43970c1a3983231f522
-
SHA512
51d4f3d396d183bc5dcaaa0a26cf024fade9b5e5c0e73e1d2ee7663ba26bc55e799beb488d5bab8d8252147b33df6ea1209ebd730124a919940e899758842ec2
-
SSDEEP
24576:u7FUDowAyrTVE3U5Fg23TD2D+Fz3ifFUwo433RfFcdnOtksSm:uBuZrEUWq0t9D7l
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
NordVPNSetup.tmppid process 2568 NordVPNSetup.tmp -
Loads dropped DLL 3 IoCs
Processes:
NordVPNSetup.tmppid process 2568 NordVPNSetup.tmp 2568 NordVPNSetup.tmp 2568 NordVPNSetup.tmp -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
NordVPNSetup.tmpdescription pid process Token: SeDebugPrivilege 2568 NordVPNSetup.tmp -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
NordVPNSetup.exedescription pid process target process PID 2028 wrote to memory of 2568 2028 NordVPNSetup.exe NordVPNSetup.tmp PID 2028 wrote to memory of 2568 2028 NordVPNSetup.exe NordVPNSetup.tmp PID 2028 wrote to memory of 2568 2028 NordVPNSetup.exe NordVPNSetup.tmp
Processes
-
C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe"C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Users\Admin\AppData\Local\Temp\is-NDN0K.tmp\NordVPNSetup.tmp"C:\Users\Admin\AppData\Local\Temp\is-NDN0K.tmp\NordVPNSetup.tmp" /SL5="$80044,890440,866304,C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2568
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
40KB
MD5b18bd486c5718397bc65d77a16ce2593
SHA158fe73e27c5c04e6915c5358f698f7fe8c2b5af8
SHA2560bbf32b0553ca1292602e8c2c0458e075fdee2c8b6ef8ea81e924a86bc065f3c
SHA512f4ffa1c8983914c41657fecc11c9324caa5899ad875b9687da8ffcf79ab189f19d6f926e16f09f240de9e6b22e26691fae785ed95657af310de5bf6c58ce8e0e
-
Filesize
40KB
MD5b18bd486c5718397bc65d77a16ce2593
SHA158fe73e27c5c04e6915c5358f698f7fe8c2b5af8
SHA2560bbf32b0553ca1292602e8c2c0458e075fdee2c8b6ef8ea81e924a86bc065f3c
SHA512f4ffa1c8983914c41657fecc11c9324caa5899ad875b9687da8ffcf79ab189f19d6f926e16f09f240de9e6b22e26691fae785ed95657af310de5bf6c58ce8e0e
-
Filesize
40KB
MD5b18bd486c5718397bc65d77a16ce2593
SHA158fe73e27c5c04e6915c5358f698f7fe8c2b5af8
SHA2560bbf32b0553ca1292602e8c2c0458e075fdee2c8b6ef8ea81e924a86bc065f3c
SHA512f4ffa1c8983914c41657fecc11c9324caa5899ad875b9687da8ffcf79ab189f19d6f926e16f09f240de9e6b22e26691fae785ed95657af310de5bf6c58ce8e0e
-
Filesize
40KB
MD5b18bd486c5718397bc65d77a16ce2593
SHA158fe73e27c5c04e6915c5358f698f7fe8c2b5af8
SHA2560bbf32b0553ca1292602e8c2c0458e075fdee2c8b6ef8ea81e924a86bc065f3c
SHA512f4ffa1c8983914c41657fecc11c9324caa5899ad875b9687da8ffcf79ab189f19d6f926e16f09f240de9e6b22e26691fae785ed95657af310de5bf6c58ce8e0e
-
Filesize
3.1MB
MD529ca787f3a0d83846b7318d02fccb583
SHA1b3688c01bef0e9f1fe62dc831926df3ca92b3778
SHA256746b972e21acb59e4086b5b25fe53ef2cddcecfa94dd56ad68c8e5bab9960c3c
SHA512a6c21bf5590dc91a5d9bc729d9c04c20b54341d3270efd2fb7d2b548d7dc7b23a1a351147a07dfd569e901a608cb44533304de10725cb02fec781cada80b8e3b